AWS Managed VPN

Amazon VPC provides the option of creating an IPsec VPN connection
between remote customer networks and their Amazon VPC over the
internet, as shown in the following figure. Consider taking this
approach when you want to take advantage of an AWS managed VPN
endpoint that includes automated multi-data center redundancy and
failover built into the AWS side of the VPN connection. Although
not shown, the Amazon virtual private gateway represents two
distinct VPN endpoints, physically located in separate data
centers to increase the availability of your VPN connection.

Figure: AWS managed VPN

The virtual private gateway also supports and encourages multiple
user gateway connections so you can implement redundancy and
failover on your side of the VPN connection as shown in the
following figure. Both dynamic and static routing options are
provided to give you flexibility in your routing configuration.
Dynamic routing uses BGP peering to exchange routing information
between AWS and these remote endpoints. With dynamic routing, you
can also specify routing priorities, policies, and weights
(metrics) in your BGP advertisements and influence the network
path between your networks and AWS.

Note that when you use BGP, both the IPsec and the BGP connections
must be terminated on the same user gateway device, so that device
must be capable of terminating both IPsec and BGP connections.
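
The redundancy and routing points above can be checked from the
output of the EC2 DescribeVpnConnections API. The following is an
added example, not code from AWS or from this page; it assumes that
response shape, runs on a constructed sample, and treats the API's
CustomerGatewayId field as what this page calls the user gateway.

```python
from collections import defaultdict

# Constructed sample shaped like an EC2 DescribeVpnConnections response.
# All IDs are made up; addresses are from the 203.0.113.0/24 documentation range.
def make_conn(vpn, vgw, cgw, static, tunnels):
    return {"VpnConnectionId": vpn, "State": "available", "VpnGatewayId": vgw,
            "CustomerGatewayId": cgw, "Options": {"StaticRoutesOnly": static},
            "VgwTelemetry": [{"OutsideIpAddress": ip, "Status": st}
                             for ip, st in tunnels]}

SAMPLE_RESPONSE = {"VpnConnections": [
    make_conn("vpn-aaaa1111", "vgw-example1", "cgw-site-a", False,
              [("203.0.113.10", "UP"), ("203.0.113.20", "DOWN")]),
    make_conn("vpn-cccc3333", "vgw-example1", "cgw-site-c", False,
              [("203.0.113.11", "UP"), ("203.0.113.21", "UP")]),
    make_conn("vpn-bbbb2222", "vgw-example2", "cgw-site-b", True,
              [("203.0.113.30", "UP"), ("203.0.113.40", "UP")]),
]}

def audit_vpn_redundancy(response):
    """Return sorted (resource_id, finding) tuples for redundancy gaps."""
    findings = []
    gateways_per_vgw = defaultdict(set)
    for conn in response.get("VpnConnections", []):
        if conn.get("State") != "available":
            continue  # deleted or pending connections provide no path
        vpn_id = conn["VpnConnectionId"]
        gateways_per_vgw[conn["VpnGatewayId"]].add(conn["CustomerGatewayId"])
        # AWS side: the two VPN endpoints should both report UP.
        up = sum(1 for t in conn.get("VgwTelemetry", [])
                 if t.get("Status") == "UP")
        if up < 2:
            findings.append((vpn_id, f"only {up} of 2 tunnels UP"))
        # Routing: static-only connections exchange no routes over BGP,
        # so path preference cannot be influenced by BGP attributes.
        if conn.get("Options", {}).get("StaticRoutesOnly"):
            findings.append((vpn_id, "static routing only (no BGP)"))
    # Your side: a single user gateway (CustomerGatewayId in the API)
    # per virtual private gateway is a single point of failure.
    for vgw, gateways in gateways_per_vgw.items():
        if len(gateways) < 2:
            findings.append((vgw, "only one user gateway attached"))
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit_vpn_redundancy(SAMPLE_RESPONSE):
        print(f"{resource}: {finding}")
```

To run it against a live account, pass in the dictionary returned by
boto3's `describe_vpn_connections()` instead of the sample.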